Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-j2pw-vp55-fqqj

Опубликовано: 28 фев. 2024
Источник: github
Github: Прошло ревью
CVSS3: 9.1

Описание

Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID

Impact

When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.

This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers.

Patches

Upgrade to Flask-AppBuilder 4.3.11

Workarounds

If upgrade is not possible add the following to your config:

from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager"

Ссылки

Пакеты

Наименование

Flask-AppBuilder

pip
Затронутые версииВерсия исправления

< 4.3.11

4.3.11

EPSS

Процентиль: 76%
0.0096
Низкий

9.1 Critical

CVSS3

CVE ID

CVE-2024-25128

Дефекты

CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2024-25128

CVSS3: 9.1
ubuntu
почти 2 года назад

Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.

nvd логотип

CVE-2024-25128

CVSS3: 9.1
nvd
почти 2 года назад

Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability.

debian логотип

CVE-2024-25128

CVSS3: 9.1
debian
почти 2 года назад

Flask-AppBuilder is an application development framework, built on top ...

EPSS

Процентиль: 76%
0.0096
Низкий

9.1 Critical

CVSS3

CVE ID

CVE-2024-25128

Дефекты

CWE-287